4 Motivation
$ dig dadusual.com
;; ANSWER SECTION: 16 A records for dadusual.com, TTL 300 (the IP addresses did not survive extraction of this page)

5 Motivation (same lookup, with reverse DNS of the first five addresses)
$ dig dadusual.com
;; ANSWER SECTION: 16 A records for dadusual.com, TTL 300; the first five reverse-resolve to residential and hosting names:
cm hkcable.com.hk
cm hkcable.com.hk
pc109.host41.starman.ee
cpe columbus.res.rr.com
host qwerty.ru

8 Introduction
Availability is important for commercial services.
Techniques from the area of reliability engineering help to achieve availability: RAID or failover systems.
Methods using DNS: round-robin DNS (RRDNS), content distribution networks (CDNs).
$ dig myspace.com
;; ANSWER SECTION: three A records for myspace.com (round-robin DNS example; the addresses did not survive extraction of this page)


13 Introduction
Note: illegal commercial organizations also need high availability.
A scammer only earns money if the pharmacy shop is online.
A phisher needs to have the phishing site online.
Our starting point: how do attackers achieve high availability?

14 FFSNs
If scammers could advertise multiple IP addresses for a given domain, shutdown would be harder.
A botherder could use the idea behind RRDNS to split a botnet across multiple C&C servers.
Technique used: fast-flux service networks, i.e. fast change in DNS answers.
Recent paper by the Honeynet Project.

16 FFSNs
A given fast-flux domain returns a few IP addresses from a large pool of compromised machines (flux agents).
After the (low) TTL expired, a different subset is returned.
First lookup:
;; ANSWER SECTION: five A records for thearmynext.info, TTL 600
Second lookup, after the TTL expired:
;; ANSWER SECTION: five different A records for thearmynext.info, TTL 600
Reverse DNS lookup, ASN and country for the addresses of the first lookup (IP addresses and ASNs did not survive extraction of this page):
Reverse DNS | Country
adsl.snet.net | US
adsl dsl.hstntx.sbcglobal.net | US
e adsl.alicedsl.de | DE
ac netvisao.pt | PT
c hsd1.ga.comcast.net | US

26 Metric
Attacker's restrictions in establishing FFSNs: IP address diversity; no physical control over the agents.
Possible distinguishing parameters:
n_A: number of unique A records in all lookups
n_NS: number of NS records in a single lookup
n_ASN: number of unique ASNs for all A records

35 Other Abuses
Storm Worm uses fast-changing DNS entries to host the web site with the malware binary: more than 50K IP addresses observed in a four-week period.
Rock Phish, a large phishing group, uses FFSNs to host phishing sites: 1,121 unique IP addresses observed in 4 days.
FFSNs could be used to host IRC, SMTP, ...

38 Conclusion
First empirical study of FFSNs, a new and emerging threat.
Developed a metric to automatically identify fast-flux domains.
Empirical measurement results.
Future work: improve the flux-score; estimate the size of an FFSN based on capture-recapture methods.

40 Fluxiness
A metric to distinguish FFSNs from benign domains can be defined as a function of n_A, n_NS and n_ASN.
Fluxiness: φ = n_A / n_single, where n_single is the number of A records in a single lookup.
φ = 1.0: a constant set of A records is returned.
φ = 2.0 in the previous example.
Implicitly contained in n_A and n_ASN.
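The parameters of slide 26 and the fluxiness of slide 40, computed from repeated lookups, as an added example that is not part of the original slides or of the authors' tooling; the answer sections, the TEST-NET addresses and the IP-to-ASN table are constructed here and the nameserver names are hypothetical.

```python
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rrtype rdata")
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|NS)\s+(\S+)$")

# Constructed dig-style answer sections using TEST-NET addresses, not real
# flux agents. The fast-flux domain returns a disjoint five-address subset of
# its agent pool once the 600 s TTL has expired; the round-robin domain
# returns the same three addresses on every lookup.
FLUX_LOOKUPS = [
    "\n".join(f"thearmynext.info. 600 IN A 192.0.2.{i}" for i in range(10, 15)),
    "\n".join(f"thearmynext.info. 600 IN A 198.51.100.{i}" for i in range(20, 25)),
]
RRDNS_LOOKUPS = ["\n".join(f"myspace.com. 300 IN A 203.0.113.{i}" for i in (1, 2, 3))] * 2
FLUX_NS = "thearmynext.info. 600 IN NS ns1.example.net.\nthearmynext.info. 600 IN NS ns2.example.net."
RRDNS_NS = "myspace.com. 300 IN NS ns1.example.org."

# Hypothetical IP-to-ASN table standing in for a BGP prefix lookup: every
# flux agent sits in a different (residential) AS, the round-robin hosts in one.
ASN_OF = {f"192.0.2.{i}": 64500 + i for i in range(10, 15)}
ASN_OF.update({f"198.51.100.{i}": 64500 + i for i in range(20, 25)})
ASN_OF.update({f"203.0.113.{i}": 64600 for i in (1, 2, 3)})


def parse_answer(section):
    """Parse the A and NS lines of one ';; ANSWER SECTION' into Record tuples."""
    recs = []
    for line in section.strip().splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            name, ttl, rrtype, rdata = m.groups()
            recs.append(Record(name, int(ttl), rrtype, rdata))
    return recs


def metrics(a_lookups, ns_lookup, asn_of):
    """Return n_A, n_NS, n_ASN and fluxiness phi = n_A / n_single."""
    per_lookup = [[r.rdata for r in parse_answer(s) if r.rrtype == "A"] for s in a_lookups]
    unique_ips = {ip for ips in per_lookup for ip in ips}
    n_single = len(per_lookup[0])  # A records in a single lookup
    return {
        "n_A": len(unique_ips),
        "n_NS": sum(1 for r in parse_answer(ns_lookup) if r.rrtype == "NS"),
        "n_ASN": len({asn_of(ip) for ip in unique_ips}),
        "phi": len(unique_ips) / n_single,
    }


if __name__ == "__main__":
    print("fast-flux  :", metrics(FLUX_LOOKUPS, FLUX_NS, ASN_OF.get))
    print("round-robin:", metrics(RRDNS_LOOKUPS, RRDNS_NS, ASN_OF.get))
```

The fast-flux domain yields φ = 2.0 with ten ASNs for ten addresses, the round-robin domain φ = 1.0 with a single ASN, which is the separation the slides build on.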
